Analytical Hierarchy Process Approach for the Metrics of Information Security Management Framework

Moeti, Michael N.; Kalema, Billy Mathias

doi:10.1109/cicsyn.2014.31

Cited by 5 publications

(2 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although the paper mentions the use of 3 levels of information security risk criteria in the evaluation, it does not specify exactly what the criteria are as well as their calculated weights. In their work [60], Moeti and Kalema identified the metrics required to design an information security management framework and classified them into categories, whereby metric validation was made by using the AHP. The results of the study indicate that environmental metrics are critical for managing information security, where in that category belong malicious code threats, inherent vulnerabilities in the information system and networks, and the regulatory and legal framework.…”

Section: Analysis Of Papersmentioning

confidence: 99%

A Systematic Literature Review on the Application of Multicriteria Decision Making Methods for Information Security Risk Assessment

Maček¹,

Magdalenić²,

Ređep³

2020

IJSSE

View full text Add to dashboard Cite

In today's fast, agile, complex and interconnected business world, one of the main goals and concerns is to find an efficient and effective way of managing information security risks. So, one of the means is usage of multicriteria decision-making techniques for such purposes. The vast majority of research begins with some form of literature review. Thus, the review of the literature must be done thoroughly and impartially in order to obtain certain scientific value. This paper provides a systematic literature review (SLR) of relevant and recent literature from both research domains, namely information security risk management and multicriteria decision-making, identifying the standards, methods, techniques and tools that are considered to be the most relevant in the research areas observed. The main purpose of the paper is to discover complementary ISRA and MCDM methods that could be used as a basis to create a new hybrid model for more efficient evaluation of critical IT solutions. The related context, main goals, review methods, relevant results of each research phase along with the findings, papers' analysis, recommendations and conclusions are all given in this review article in order to fully comply with the SLR requirements.

show abstract

Section: Analysis Of Papersmentioning

confidence: 99%

A Systematic Literature Review on the Application of Multicriteria Decision Making Methods for Information Security Risk Assessment

Maček¹,

Magdalenić²,

Ređep³

2020

IJSSE

View full text Add to dashboard Cite

show abstract

“…This approach allows for the customization of metric weights based on specific organizational requirements and risk factors. Early uses of AHP in security metrics (e.g., Moeti and Kalema [41] and Turskis et al [42]) purely rely on human judgements (not using well-established computed metrics). Sun et al [22] design an automatic security analysis tool that integrates security metrics collection, management, and visualization to understand the security of computer systems.…”

Section: Related Workmentioning

confidence: 99%

Risk Score Aggregation for Security Evaluation in Network Environments

Lei

View full text Add to dashboard Cite

With the increasing complexity of network environments, evaluating security risks can be a challenge. Quantitatively scoring computer systems or networks based on specific threats or concerns can facilitate the comparison of their security levels. Such scoring needs considering multiple security risk factors and multiple systems to enable meaningful comparisons, determining whether one system or network is relatively more secure than another. Our research aims to address this challenge by developing a comprehensive risk score aggregation methodology for evaluating security in modern network environments. In this thesis, we present two approaches to risk score aggregation: multi-factor aggregation for systems and multi-target aggregation for networks.In the first work, we propose an aggregation approach that combines machine measurements with human decision making for aggregating well-established individual risk factors into a risk score for a system. Specifically, we modify the Analytic Hierarchy Process (AHP) to facilitate group decision-making among selected "experts" who can derive the weights of individual risk factors for aggregation. We showcase the feasibility of our approach by selecting several common metrics to measure the target systems in our testbed and conducting an AHP survey with seventeen experts. The resulting overall aggregated scores for the target systems demonstrate how our approach enables the comparison of the overall security between those systems. By considering cloud-oriented settings, we also showcase how this approach i can be applicable to today's virtualized environments.The existing state-of-the-art approaches for aggregating multiple systems only consider one target in a network. The aggregation of risks scores of multiple targets is still yet to be explored. To this end, we propose another aggregation approach that uses the well-established attack paths as inter-system influences, treating each system as a potential target, to calculate cumulative attack probabilities for each system. We further aggregate these probabilities (i.e., the risk scores) into a single risk score for the entire network. To evaluate this approach, we consider several typical network types, including virtually hosted telecom networks such as 5G core and 5G Mobile Access Edge Computing (MEC) along with two additional network types. We employed the dataset collected from a real research data center. The results show that our approach can be generalized and applied to assess the security of various type of network.By considering multiple risk factors and interconnected entities/systems in network environments, we believe that our proposed methodologies for risk score aggregation can provide valuable insights and contribute to the research on risk assessments in modern IT environments. Prior PublicationA publication has arisen as a direct result of the research in this thesis and another manuscript under review. While these works represent joint contributions of all authors, any sections reproduced in this th...

show abstract

A Hybrid Decision-making Approach to Security Metrics Aggregation in Cloud Environments

Lei

Zhao

Pourzandi

et al. 2022

2022 IEEE International Conference on Cloud Computing Technology and Science (CloudCom)

View full text Add to dashboard Cite

Analytical Hierarchy Process Approach for the Metrics of Information Security Management Framework

Cited by 5 publications

References 9 publications

A Systematic Literature Review on the Application of Multicriteria Decision Making Methods for Information Security Risk Assessment

A Systematic Literature Review on the Application of Multicriteria Decision Making Methods for Information Security Risk Assessment

Risk Score Aggregation for Security Evaluation in Network Environments

A Hybrid Decision-making Approach to Security Metrics Aggregation in Cloud Environments

Contact Info

Product

Resources

About